[jira] [Commented] (SCM-763) Password masking on linux does not work
[ https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16422743#comment-16422743 ]

Michael Osipov commented on SCM-763:

The following has been tried in Konsole on Fedora 27:
{noformat}
mosipov@localhost SCM-763]$ mvn scm:list -Dpassword=toll
[INFO] Scanning for projects...
[INFO]
[INFO] < net.sf.michael-o.dirctxsrc:dircontextsource >-
[INFO] Building dircontextsource 2.1.1-SNAPSHOT
[INFO] [ jar ]-
[INFO]
[INFO] --- maven-scm-plugin:1.9.6-SNAPSHOT:list (default-cli) @ dircontextsource ---
[INFO] Executing: /bin/sh -c cd /tmp && svn --password '*' --no-auth-cache --non-interactive list --recursive file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2/.
[ERROR] Provider message:
[ERROR] The svn command failed.
[ERROR] Command output:
[ERROR] svn: E170013: Unable to connect to a repository at URL 'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
svn: E180001: Unable to open repository 'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
{noformat}
as well as with space
{noformat}
mosipov@localhost SCM-763]$ mvn scm:list -Dpassword=toll
[INFO] Scanning for projects...
[INFO]
[INFO] < net.sf.michael-o.dirctxsrc:dircontextsource >-
[INFO] Building dircontextsource 2.1.1-SNAPSHOT
[INFO] [ jar ]-
[INFO]
[INFO] --- maven-scm-plugin:1.9.6-SNAPSHOT:list (default-cli) @ dircontextsource ---
[INFO] Executing: /bin/sh -c cd /tmp && svn --password '*' --no-auth-cache --non-interactive list --recursive file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2/.
[ERROR] Provider message:
[ERROR] The svn command failed.
[ERROR] Command output:
[ERROR] svn: E170013: Unable to connect to a repository at URL 'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
svn: E180001: Unable to open repository 'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
{noformat}
Yes, there are shortcomings, but I cannot reproduce the depicted case. Can someone provide a test sample?

> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-scm-provider-svn
> Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
> Reporter: Tobias Kalmes
> Priority: Major
>
> Passwords are not masked in the log output on Linux machines. The masking
> works as intended on Windows machines. On linux machines though the password is
> printed in clear text. This seems to be a problem due to the additional
> single quotes that are added around the parameters on linux machines.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SCM-763) Password masking on linux does not work
[ https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16422655#comment-16422655 ]

Michael Osipov commented on SCM-763:

For the record, it is also broken on Windows too:
{noformat}
PS D:\Entwicklung\Projekte\scm-svn-test-at-sign> mvn scm:list "-Dpassword=mumu ab"
[INFO] Scanning for projects...
[INFO]
[INFO] < net.sf.michael-o.dirctxsrc:dircontextsource >-
[INFO] Building dircontextsource 2.1.1-SNAPSHOT
[INFO] [ jar ]-
[INFO]
[INFO] --- maven-scm-plugin:1.9.6-SNAPSHOT:list (default-cli) @ dircontextsource ---
[INFO] Executing: cmd.exe /X /C "svn --password * ab" --no-auth-cache --non-interactive list --recursive file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2/."
[INFO] Working directory: C:\Users\mosipov\AppData\Local\Temp
{noformat}
[jira] [Commented] (SCM-763) Password masking on linux does not work
[ https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16404715#comment-16404715 ]

Weston Bustraan commented on SCM-763:

[~michael-o], you are correct, the regex does treat the ending double quote as part of the password in your example; you would probably need a more complex routine or regex to perfectly handle that.

However, the string produced by the password masking isn't intended to actually be executed by the OS; it is just printed on stdout for the user to see. The goal is to prevent the password from being printed to the log output and I believe that it still accomplishes that goal better than the original implementation.
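Masking the argument list before it is rendered sidesteps the quoting cases discussed in this thread, because the secret is replaced before any shell quoting exists. This is an added example, not Maven SCM code and not from any commenter: the class, method names, mask value and sample inputs are constructed, and only the separate `--password <value>` form shown in the thread is handled.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Added example: hypothetical names, not part of maven-scm-provider-svn.
public class ArgvPasswordMask {
    static final String MASK = "*****";

    // Replace the argument that follows --password while it is still a
    // separate list element, i.e. before shell quoting is applied.
    static List<String> maskPassword(List<String> argv) {
        List<String> out = new ArrayList<>(argv);
        for (int i = 0; i + 1 < out.size(); i++) {
            if ("--password".equals(out.get(i))) {
                out.set(i + 1, MASK);
                i++; // skip the value so a password equal to "--password" is not re-read
            }
        }
        return out;
    }

    // Display-only rendering in the *nix style from the thread: every argument single-quoted.
    static String renderSh(List<String> argv) {
        return argv.stream()
                .map(a -> "'" + a.replace("'", "'\\''") + "'")
                .collect(Collectors.joining(" "));
    }

    // Display-only rendering in the cmd.exe style from the thread.
    static String renderCmd(List<String> argv) {
        String inner = argv.stream()
                .map(a -> a.contains(" ") ? "\"" + a + "\"" : a)
                .collect(Collectors.joining(" "));
        return "cmd.exe /X /C \"" + inner + "\"";
    }

    public static void main(String[] args) {
        // Constructed inputs reusing the passwords mentioned in the thread.
        List<List<String>> samples = Arrays.asList(
                Arrays.asList("svn", "--username", "myusername", "--password", "swordfish", "info"),
                Arrays.asList("svn", "--password", "mumu ab", "--no-auth-cache", "list"),
                Arrays.asList("svn", "--password", "it's \"quoted\"", "list"));
        for (List<String> argv : samples) {
            List<String> masked = maskPassword(argv);
            System.out.println(renderSh(masked));
            System.out.println(renderCmd(masked));
        }
    }
}
```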
[jira] [Commented] (SCM-763) Password masking on linux does not work
[ https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403773#comment-16403773 ]

Michael Osipov commented on SCM-763:

[~wbustraan], your improved version does not work:
{code:java}
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.codehaus.plexus.util.cli.Commandline;
import org.codehaus.plexus.util.cli.shell.CmdShell;

// Wrapper class added so the snippet compiles; the name is arbitrary.
public class CryptPasswordCheck {
    public static void main(String[] args) {
        // Build the command line the way the Windows shell wrapper renders it.
        Commandline cl = new Commandline(new CmdShell());
        cl.setExecutable("svn");
        cl.createArg().setValue("--password");
        cl.createArg().setValue("mumu");
        System.out.println(cl);

        // Proposed masking regex applied to the rendered string.
        String clString = cl.toString();
        final String mask = "'**'";
        final Matcher matcher = Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
                .matcher(clString);
        final StringBuffer replaced = new StringBuffer();
        while (matcher.find()) {
            final String argPrefix = matcher.group(1);
            matcher.appendReplacement(replaced, argPrefix + mask);
        }
        matcher.appendTail(replaced);
        System.out.println(replaced.toString());
    }
}
{code}
{noformat}
cmd.exe /X /C "svn --password mumu"
cmd.exe /X /C "svn --password '**'
{noformat}
[jira] [Commented] (SCM-763) Password masking on linux does not work
[ https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15876320#comment-15876320 ]

Weston Bustraan commented on SCM-763:

This also occurs on Macs. The culprit is actually {{org.apache.maven.scm.provider.svn.svnexe.command.SvnCommandLineUtils.cryptPassword(Commandline)}}

It has a rather... naïve, to be polite, implementation of the password masking. It only works if there is _exactly_ one space after {{--password}}. Any other condition and the password is not masked.

So, if the command line string is this:
{code}
svn --username myusername --password swordfish --no-auth-cache --non-interactive --trust-server-cert info
{code}
... the output is:
{code}
svn --username myusername --password '*' --no-auth-cache --non-interactive --trust-server-cert info
{code}
However, it appears that, at some point, a change was made elsewhere that wraps everything in quotes on *nix OSes:
{code}
'svn' '--username' 'myusername' '--password' 'swordfish' '--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'
{code}
Now, since {{--password}} is followed immediately by a single quote, instead of a single space, the mask is inserted but does not replace the actual password:
{code}
'svn' '--username' 'myusername' '--password''*' 'swordfish' '--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'
{code}
Here is an improved version of {{cryptPassword}} using a regex in order to handle more diverse input:
{code}
// Requires java.util.regex.Matcher and java.util.regex.Pattern.
public static String cryptPassword( Commandline cl )
{
    String clString = cl.toString();
    final String mask = "'**'";
    // Group 1: "--password" plus any attached non-whitespace, then whitespace.
    // Group 2: a single-quoted, double-quoted or bare token (the password).
    final Matcher matcher = Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
        .matcher(clString);
    final StringBuffer replaced = new StringBuffer();
    while (matcher.find())
    {
        // Keep the option prefix and substitute the mask for the password token.
        final String argPrefix = matcher.group(1);
        matcher.appendReplacement(replaced, argPrefix + mask);
    }
    matcher.appendTail(replaced);
    return replaced.toString();
}
{code}